The script can be used in business rules, custom commands and scheduled tasks to deny pending approval requests for operations on the Active Directory object on which it is executed. For example, it can run as part of the user deprovisioning process to clean up requests for operations on the user who is being deprovisioned.
Note: Pending approval requests are requests that have been neither approved, nor denied, nor canceled.
To run the script as part of a business rule, scheduled task, or custom command, use the "Run a program or PowerShell script" action.
Parameter:
- $denyReason - Specifies a reason to describe why the requests were denied.
```powershell
$denyReason = "The user was deleted" # TODO: modify me

# Bind to the Approval Requests container
$requestsPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
$container = $Context.BindToObject($requestsPath)

# Get all pending approval requests
$requests = $container.GetApprovalRequests("ADM_APPROVALSTATE_PENDING")

foreach ($requestID in $requests)
{
    # Bind to the approval request
    $guid = New-Object "System.Guid" (,$requestID)
    $guid = $guid.ToString("B")
    $requestPath = "Adaxes://<GUID=$guid>"
    $request = $Context.BindToObject($requestPath)

    # Get the target object GUID
    $targetObjectGuid = New-Object "System.Guid" (,$request.Get("adm-TargetObjectGuid"))
    $targetObjectGuid = $targetObjectGuid.ToString()

    # Skip if the Approval Request does not request an operation on the target object
    if ($targetObjectGuid -ine "%objectGUID%")
    {
        continue
    }

    # Deny the request
    $request.Deny($denyReason)
}
```